On July 20, 2023, the Federal Trade Commission (“FTC”) and the Office for Civil Rights of the United States Department of Health and Human Services (“OCR”) announced that they had sent a warning letter to about 130 hospital systems and telehealth providers, alerting them about the risks and concerns of using online tracking technologies, such as the Meta/Facebook pixel and Google Analytics, which can track users’ online activities.

In the letter, the FTC and OCR reiterated the risks posed by the unauthorized disclosure of an individuals’ personal health information—such as health conditions, diagnoses, and medications, among other items—to third parties. These concerns, particularly as they related to the use of online tracking technologies by HIPAA Covered Entities and Business Associates, were highlighted in OCR’s Bulletin issued last year and about which we previously wrote.

The FTC also reminded companies not covered by HIPAA that they still have a responsibility to protect against the unauthorized disclosure of personal health information, highlighting its recent enforcement actions against BetterHelp and GoodRx, about which we also previously wrote.  Such enforcement actions related to those companies’ sharing of health information with third parties that use online tracking technologies integrated into the companies’ websites and apps without users’ awareness. 

Additional information about the risks relating to online tracking technologies can be found on the FTC’s Blog.  We will continue to monitor for additional enforcement actions in this area.